cyplo/dotfiles
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

move masto to cupsnet

Browse source
This commit is contained in:
Cyryl Płotnicki 2024-02-04 22:33:26 +00:00
parent 8f584835ac
commit e54bb9b7a9
9 changed files with 230 additions and 533 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

93
nixos/boxes/bolty/mastodon-db.sops.yaml
View file

@ -1,93 +0,0 @@
mastodon-db: ""
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1qpxvqf2254vynw7aah2pyd8tm0lqtfqr9maguewdj3uqjp8smqvssjp43n
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEM2JVelR6K0Zjbm5ubjJD
MVV5NkdhaGl1eE5oUUp1bm1VQmEvTThPRkE0CkRtQ2k4WHhkTlhNQ25tN1V5VkR3
b3c0NzJuSFRLNnVRZUNkTml6dnRKMlUKLS0tIEt2UkFEVkFGbHFURkRONUlmMW0w
ZXNpZVh2eUpuRDZ3ZFhTcTAxU2FKWTAKuWxeWi10LGOBcDuruA1Nu2cbZ4ERN6B2
ujbcoKVN9nA+wy5+HgBxfOFQ78KvkuRmIKfbLvyRX/9Pg8v5o1Ybhg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1s3z2rfske90kt93a3z7twp6kew6mqd08sgunupym0gpmuh8ezqqscdrv7m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxSi9CNnFCQTdGTjlqWlY5
eS82NDV1WFpDOGNJZVJhblhVV0xPRGcwTmtzClFXQjVXNDZHVUFWVFNHQ1FOaGNM
SUxLTDZ0MXdrZVNsUUhkQUNWdStxUjgKLS0tIDlsNU9JUFFTOVdHcUxmMzVvNHUr
dnQ1T0FwMGtpdTBYODVBdHN5NjhtNHMKYb4+t8oyZ1lfFDIbjzGfiN7EihD7oef1
cna9lEwgfm19G1yiPjgszlPQwdjvSk6vlPNYcOT1KYisGnTtRHUCvw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZcEpFUGE3bnBXYzlsZGl5
RFR6bU56VVZRT3ZIaXc5cDYyd28vMUtoVkhVCjlwbmRBMngvWC9FQ1VsK1dxOXNo
UExONjFxZTE4S0dIeDR0VWFndEg5eUkKLS0tIHQxNWFGVHRHUGdTWTN5aVFsWGpj
TjYzVkkvUDlEOWZCM3Y3TUpHMWp1MXMKAxvbXIc0SgUdbzZvV53kqbLG8uDaSoOw
G1GWOJcruJ+WywsxoVcd6UA01GgUOYg9bAaeEJuzABfBG9u2WmL6DQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mpgtj57e256q9nqz8jt0jt9ntxrldu0p7aunxx3y5vnerfz04vqqdst2gt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3aTE3VFpZdmZYNVh4Rkw3
Y2pXRXdWSUw2eWhHcEo1OFNnMEpRNjZzbUc0ClVGZXB2aWxXRUdZVmFWR0JDSitk
L0svd2RLb3A3QlV3ZG02TXQ3UkdlRXcKLS0tIDhVZTRHdDhJQ2ViSC9YU3ZIdURN
U3l2bjhjdktwWnpDSXFtWkp2cEFQa1kKy74uyFJcUf9L2EHcQ5RrymRFn5AsOtpQ
Ar1Tb+TCXsyXwMlXwqX5jTdKFxwpsgiT/GuE8mHjGOM9XoJPEHaoMA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGVzRnN2xtOWw2dWlYZWR3
b2g2WVlDcVk3eGRrQkV0ZER1a1ZLcDF2QWdjCnlMWDhMbkdFZVBkMXNwZFBKTW5z
QWxNSzRkRDdlT1FsUWpRNktYME5mcXcKLS0tIEh5UHpVb1gyeng1eXFjNnZlcTc1
cVBMNDR6VmxTRTUzYTlETCtqTUZ6Nm8KSSlzWikCyVZsd1yzC8sq8e9UQnZhhQgl
jljUQOvLjDtjvmRMpTaAdGQuArVONWrk8UJheawo33BNL0lWyDSCcg==
-----END AGE ENCRYPTED FILE-----
- recipient: age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvQlNrNG5kRG1YRXhmbFRl
Q2tMZ1RBbTFmaUg4TmtxWkFTM3VqUHhkR1c4CkJEVzFqZXRDRndJd1FuQ0t2aXNt
YkZMbkhER1FKcWNaUWhpbWxxaSt2ZHcKLS0tIEJnSk9yeFRhckN2cEpUc3VXMGps
cXVqRWpJZk5zM1VPTVNzcFBSaG5pMU0KjIni2nzw98OgER95cOdzBrvuM80CdCzb
46FU071PAWBpgAH5SvIsI85At6fl0B8rKrce1nBSUDhvlnq4RbQpJA==
-----END AGE ENCRYPTED FILE-----
- recipient: age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPWGtnR2ltS2I0R0p0VlV1
MUJyRTZsNUV0M0l6N2QrYnIyTHRrUmlmdERVCnBMU0MzNG5WQmpFcXpkM1BETFhn
RTV5R2ZZNFh6bEhkaVArenFobUZSUWcKLS0tIDUyUnpkQ29nbXdIaVhmN1dZWHhl
TERUMWJycHhWYXN0YzEwajBBVy9tYkEKSPZUnP65cRFgZdD7uHOyaMnMzPvuwHNf
7Q2Y0vCevwmppPt6TsNWWMKJUjWkdgAeAmmkKcSuaDi2EthdnxlwCQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1n09swn3qekcuw23vksp7hv4hpg0krlag3c5qcjjaf08m99c3ysqs6sxeyk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTS2FRbm1VUEFhN1NFc3RB
QVRSRHBvbGdXcDVuanluaFZuUmlxSkJ2NHhRCi92ZGpWV0d2Z2ZMYnhyUTJlcDZB
YlhsQzdCYWRmV3RZOXdiVlpWZzJtcEUKLS0tIDhqaHFwTUR1bi91SldFeXloUExY
dFhJU3RmT204SitRazVRVEE1Y1plb2MKMv1gUa7xMixd6GyJWgous6gd6u/TPNpo
9BKtmf4F9VQRdrghf+dZgExsbqD+14wdVMmncWXDBt2/G9++kxngUQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1tt4c8t72fha2fj7xlm0dew5avmkdxujmgplte4qm7sxlcucggedq0eyk7t
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6SlVhOTBZZHQxNWV0SnZj
eGJJNFhnV2hyY0xqaWNEVmtJdWZjMkxUNEVvCnpaL0xvaEh4TG1sTWtRdWdPSk94
SzIrZUFwNktObVNQalozbmd3Wnd6SEkKLS0tIE1WYWNTc2Z4bmlzOTRRakgzN0hK
U0lzVDRnQVV2Q0h2OHVKRmVhcVE5U2MKDGo89QvLMEehTjUowAa4kTXsqauGvZeP
eTw2bqpOkpVwdtMroHcz3Su8ZqDb+ejGE6n3GcwEUUuyPNSn/iE+hQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-11-26T12:03:57Z"
mac: ENC[AES256_GCM,data:9istsKh21b1w5UNXJyjbR8FmjLyZL+QiBNtfFyVtLv6/rc90NSFfXzq8jVTUA/DHkMNhe6Zt+ieCucc2+MjZoKX77JFMcJgPYzdrhT7Fzk9U+7XMIUN+vKuh3RRV9f6zNiGSHAwjN3Gz0yvFWxlrvZ4W1hpjpKQ6LKXkW0c2l88=,iv:dZQeInjC96GJpSppAez0/Ovte+zns/FSP7KY/5+dcpE=,tag:wajCNA52jC+PCpUmF8ctOQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

168
nixos/boxes/bolty/mastodon.nix
View file

@ -1,168 +0,0 @@
{
config,
pkgs,
inputs,
lib,
...
}: let
newestPackages = inputs.nixpkgs-master.legacyPackages.${pkgs.system};
package = newestPackages.mastodon;
domain = "peninsula.industries";
internalWebPort = 55002;
postgresPort = 5432;
path = "/data/mastodon";
mailgunSmtpSecretName = "mastodon-mailgun-smtp-password";
mailgunSmtpPasswordPath = "/run/secrets/${mailgunSmtpSecretName}";
mastodonDbSecretName = "mastodon-db";
mastodonDbSecretPath = "/run/secrets/${mastodonDbSecretName}";
uid = 2049;
gid = 3049;
systemUserName = "mastodon";
systemGroupName = "mastodon";
users = {
users."${systemUserName}" = {
inherit uid;
isSystemUser = true;
isNormalUser = false;
group = systemGroupName;
};
groups."${systemGroupName}" = {
inherit gid;
members = ["${systemUserName}" "nginx"];
};
};
secretSettings = {
owner = systemUserName;
group = systemGroupName;
};
publicPath = "${path}/public-system/";
in {
imports = [../nginx.nix];
system.stateVersion = "23.11";
networking.firewall.allowedTCPPorts = [internalWebPort];
services.nginx = {
virtualHosts = {
"masto-system.internal.cyplo.dev" = {
root = "${publicPath}";
};
};
};
sops.secrets."${mailgunSmtpSecretName}" =
{
sopsFile = ./mailgun.sops.yaml;
path = mailgunSmtpPasswordPath;
}
// secretSettings;
sops.secrets."${mastodonDbSecretName}" =
{
sopsFile = ./mastodon-db.sops.yaml;
path = mastodonDbSecretPath;
}
// secretSettings;
inherit users;
systemd.services.mastodon-make-path = {
script = ''
mkdir -p ${path}
chown -R ${systemUserName}:${systemGroupName} ${path}
mkdir -p ${publicPath}
chmod -R o-rwx ${publicPath}
chmod -R g-rwx ${publicPath}
chmod -R g+X ${publicPath}
chmod -R g+r ${publicPath}
chmod -R u+rwX ${publicPath}
'';
serviceConfig = {Type = "oneshot";};
before = ["container@mastodon.service"];
};
containers.mastodon = {
autoStart = true;
hostAddress = "100.69.177.80";
forwardPorts = [
{
containerPort = internalWebPort;
hostPort = internalWebPort;
}
];
bindMounts = {
"/var/lib/mastodon" = {
hostPath = "${path}";
isReadOnly = false;
};
"${mailgunSmtpPasswordPath}" = {
hostPath = "${mailgunSmtpPasswordPath}";
isReadOnly = true;
};
"${mastodonDbSecretPath}" = {
hostPath = "${mastodonDbSecretPath}";
isReadOnly = true;
};
};
config = {
config,
pkgs,
lib,
...
}: {
system.stateVersion = "23.11";
services.postgresql.port = postgresPort;
users =
users
// {
mutableUsers = false;
allowNoPasswordLogin = true;
};
systemd.services.mastodon-media-auto-remove = {
description = "Mastodon media auto remove";
serviceConfig = {
Type = "oneshot";
EnvironmentFile = "/var/lib/mastodon/.secrets_env";
};
script = ''
/run/current-system/sw/bin/mastodon-tootctl media remove --days=8 --prune-profiles --include-follows -c1
/run/current-system/sw/bin/mastodon-tootctl media remove --days=8 --remove-headers --include-follows -c1
/run/current-system/sw/bin/mastodon-tootctl preview_cards remove --days=8
'';
startAt = "daily";
};
services.mastodon = {
enable = true;
inherit package;
localDomain = "${domain}";
user = systemUserName;
group = systemGroupName;
mediaAutoRemove.enable = false;
streamingProcesses = 2;
smtp = {
host = "smtp.eu.mailgun.org";
port = 465;
authenticate = true;
user = "postmaster@${domain}";
fromAddress = "Peninsula Industries Mastodon <mastodon@${domain}>";
createLocally = false;
passwordFile = "${mailgunSmtpPasswordPath}";
};
sidekiqThreads = 8;
extraConfig = {
SMTP_TLS = "true";
SMTP_ENABLE_STARTTLS_AUTO = "true";
SINGLE_USER_MODE = "true";
RAILS_SERVE_STATIC_FILES = "true";
AUTHORIZED_FETCH = "true";
DISALLOW_UNAUTHENTICATED_API_ACCESS = "true";
};
webPort = internalWebPort;
configureNginx = false;
enableUnixSocket = false;
database = {
port = postgresPort;
passwordFile = mastodonDbSecretPath;
};
};
};
};
}

0
nixos/boxes/vpsfree1/MASTODON.md → nixos/boxes/cupsnet/MASTODON.md
View file

1
nixos/boxes/cupsnet/default.nix
View file

@ -14,6 +14,7 @@
./disks.nix ./disks.nix
./foundryvtt.nix ./foundryvtt.nix
./gitea.nix ./gitea.nix
./mastodon.nix
./ssh.nix ./ssh.nix
./videos.nix ./videos.nix
]; ];

111
nixos/boxes/cupsnet/mastodon-db.sops.yaml Normal file
View file

@ -0,0 +1,111 @@
mastodon-db: ""
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1qpxvqf2254vynw7aah2pyd8tm0lqtfqr9maguewdj3uqjp8smqvssjp43n
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVdHoyVEhVTW1uMWJESDQ0
SjBITnNRWC83b2h4bFBPVnRkdXh1bEorL1hnCjVNbXJaaGEvVmt1Q2g2WVc4L1Mx
N1lCbHJoaTJNOUQ1dk8yb1U4allZRWMKLS0tIFcvVkFRejBXOTE3NkJvcVBpSjRt
TFBkTVl1WkVQYXhDSDVFNFMwMVZKekEKdXQZzqhX8zguTww+Bsm4t7yewcOP/trf
NZgJtxSqsuKRojUlcF3qWKNmsZLlYRbadXLYYQkXMOXgqbprfVVPEw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1s3z2rfske90kt93a3z7twp6kew6mqd08sgunupym0gpmuh8ezqqscdrv7m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZWkNDcENsUmhzbGFiVUJJ
U1VjdjJZcU5jNGRFY1FzYS9CbzdSRjN5TEh3Cmpudm5QQlF3TkN5akRlMkpxMjdG
a0VNTjRFYlNIVzVjdTZXV1QxMmVyZmsKLS0tIDJnam9UREVONkkyMzBKWFArZGVH
TStxUW5BMHdlYmlRUG0wdEY4UVkydU0KFR5JTvNHYSV5qQ96YlXQafpqMyISYIC8
l5KTLOA/0v9pam4yqU/GPgk1Cjy9ILiejwqG6lZK5Kiga4mTvgKbog==
-----END AGE ENCRYPTED FILE-----
- recipient: age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2cjFaWnVKTGQyMytOTW9V
NG4rWEhIV0FINSt0OEhGQ1NsVkFPdHJvQVJZCmhxUUNqVy9CL3BGT0FKTGd5Um5s
blZraUxMTXFQb0kzODhlTU5PQ2tBK2MKLS0tIERJc1NqbTVaZ2Qwa24rYUlXM2JT
T1hhbHBMdE5idm1aMGFadzBHU1BxSlEKriJHrdFueTHuA9KFy6bf6QFUq64tfFqk
1FYY1DEC6gbXo/u2enH0L3HI9rhkkCDBmjdym66eJxcK7TmR9c8W5g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mpgtj57e256q9nqz8jt0jt9ntxrldu0p7aunxx3y5vnerfz04vqqdst2gt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkRVBEVXJpRGYrR1pNWDJR
cUNyd3Y3T0N3aTltQ3MzbHpvR2djOExRQ1dBClAvMVozNkMzOUFhS0pDSURFVkNm
S0tCZ09Lcys4WVJaSDNERHhMQWU5a2sKLS0tIGxzS2p3ZUhqMk9Ddy9JU1hMS2Fr
Q3ZmZ3dNWjJnVE14bWFnaExRaXZYbjAKIB8pOI/1szONZVS7vD3K2ZyPISw7gOey
ukcbddEPPFWUD24eMksBRReISarzq3Myqw7nRVqxvRP+JTgIa49pWA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUNnNHZlpsVGllOVU0ZlJ5
cDVDdmpPUXdod3QxbnpxcENtZTNkYll1WkhrClRNU2dQeG4ya1lDZTRyUCtVNGsy
SzBIZDNnK2lMOHhPUk1BTHUyZFJQeHMKLS0tIFJhbTgzdktYV0hVeGwzTzhYTG95
QzRqNWpseG9iNVpzYzcraEZPYktRaEUKhRti44yCso/a/3TdLsp+gkrm/8f09AGa
2ZDdNChn8VzQyEjElT4LkyXJkrXsEB/Sj3E9u2LOOYnDHtjBkD+sCA==
-----END AGE ENCRYPTED FILE-----
- recipient: age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjN2Nlb3FXVGpkbGFyM0E1
MFlBZnhubytxbWdtWkxiblRxMWVJcUNBWlZJClRPRGdzdVZnVC9vOTRKeEpNYkFP
bXEyTWhKL3pzUFBwaUNKSnJZbnlvN2cKLS0tIHBiemZjVHNUOExiYkVSdVlUZFdG
QjNiK0dzN3FxOWhyVk40NXZFcHFKRzQKsOW45uPXZbZWhXt88M55Ov2D+2Rd95OC
hIUuk5+6SfAy7FIgnAOfA/2369OcyBOodPdVgQwKfD5sowwVsFHSHg==
-----END AGE ENCRYPTED FILE-----
- recipient: age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTHBob0dPbTlTeU1kSnZi
OUJvWTNCRmhKZWhObXU3QlhrRE0vZUdYeWxnClpMb2VtZ0t0dFE2dmFzbytxeVBQ
dTVkSW1EMkc4dzhNcFluaDl6cjk1VE0KLS0tIEx1SXMva2twTHBJVGhJL0ZYVUp5
clRNWVRiTktHVDFGWmNmTkdXOStSdTQKkdgVVedpeBag+NexPOrpz3e5RqBbTXJR
2aawOQ22hwi+sY/ec8asPDZBXx9nvGxRIZZpBjaN7S90SfZu1S6g0g==
-----END AGE ENCRYPTED FILE-----
- recipient: age18vg9wvmj2jc8tdcyc202v46lvfndqfe3dse2hewx0snalpvk43fqc22n6y
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaSUVMa0VLY2R3K0x0aW1t
bWxBU3VGQUZaUVJsUm15RlFkUHpLUUZka1MwCmVPYTFJckJBNmgvK3dWcHZ4c0JT
MDhoa3ZXT1Irc01zZDZOTnNYWHlEY28KLS0tIEZReUVKWDlPdlRvR01tRnkxeDRr
WTNKUnZjd1E5YWIwK2IrZWFSd2Q1RzQK/Q+UtKH7ZDi+c2RGRZd9VFwRRyKO4mLp
1jPjlZsRcHYEmFVohQtqMLadHc2AOhcJDn9pk5qXwnEkKfDX6yaZjA==
-----END AGE ENCRYPTED FILE-----
- recipient: age108m6yx77k7aqcyesy4zmkulryzvyep6m92pflmldcnv3w5a0k9xqn5h7cx
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoVG44NksxeDh2TEwvT2NL
SDJaVzJqNUVzbEMxaDd5VDNUZG8rdUNjZDFZCk5zQ0NtM3ZCbEZEUm43WTIwVmVL
YUxjTUdOVEVLU25KbmtySm1ZMWEwSncKLS0tIG80K1ZsYVQyQnY1b1dlOEZjU2Iw
aHo4eklKRDA1SHV5WHJlSWZBK2VEYjQKkIyoSU1zfx440OhDXMhwtNhAah9d4IrR
Dof/0gD6KXfM9Tn77SvfGAW++V/JdwvfHlU2jnk3zaEGechI6SZiEg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1n09swn3qekcuw23vksp7hv4hpg0krlag3c5qcjjaf08m99c3ysqs6sxeyk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBubFBvYjNPVHUva0ZpU2NW
b2oxWE1NQUc4REE1U3dZemxPUVVVaWdCNkZJCncwc01YUlB3Z2h3Um5QT1dVNlJE
VXcwTFlmWUNxZEg3VFJlT2pLNjNLV3MKLS0tIGZUand3THlWTk0xeGpoN0R6N2x6
M2haWW9uWkJzeGpwejIzOFR2R1R4YUkKUSoykoO4tdXHhZ1BaUVDfTY27nduRo4o
7nvHlbqqd15FE2HbHqdSmBFsDIIuoNt1QKjXe87ICzYNHkmjYzXxEA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1tt4c8t72fha2fj7xlm0dew5avmkdxujmgplte4qm7sxlcucggedq0eyk7t
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjeklXZzRoZzBaUS94cG8y
KzdYcis5eHVVQ2dLVlJlYUt3RzlyY2JPR1dNCmN2bFlPY3NDWlNKS1Y0SldINWhv
b0U0SXpJdzZJVGFSTjFqR3VBMERFV2cKLS0tIGdvMU9JMHVWc1V2RTlYRVcvbE5I
bmYwVWlacVNUUmZKM3I2Vi90RDVEUU0KkJDXWC60A+F4ByVrENQ8hKeD3puSiApe
D/B4WDiIxTR2s1BH/ViaPMsQWI2gCSd6kAEjjHhG11mS5uJFzWoR7A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-02-04T22:28:51Z"
mac: ENC[AES256_GCM,data:7lS6+2M0zQrL74F3zTj6PKIZD+IOxjYFZCutc+4fPkvp+jriFkBw7DyF5BllXsDxf7zazhbbVWJsi5LpYVGl/5C6NelVwnDG25tmTmObHt02fzM2BElfuEN2G/3Vk+FXC0bsST0jZkuWh3m4r/8VTj0Uj+gnGiRUHJHpOq+A/YY=,iv:M7nEQWzG8b0z0OcZCvd4OGpGpRKRZs0JnZw7hFgjL+c=,tag:AZ4gMEOoU3kbQ98Kq1SGWg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

118
nixos/boxes/cupsnet/mastodon.nix Normal file
View file

@ -0,0 +1,118 @@
{
config,
pkgs,
inputs,
lib,
...
}: let
newestPackages = inputs.nixpkgs-master.legacyPackages.${pkgs.system};
package = newestPackages.mastodon;
domain = "peninsula.industries";
path = "/var/lib/mastodon/";
mailgunSmtpSecretName = "mastodon-mailgun-smtp-password";
mailgunSmtpPasswordPath = "/run/secrets/${mailgunSmtpSecretName}";
mastodonDbSecretName = "mastodon-db";
mastodonDbSecretPath = "/run/secrets/${mastodonDbSecretName}";
uid = 2049;
gid = 3049;
systemUserName = "mastodon";
systemGroupName = "mastodon";
users = {
users."${systemUserName}" = {
inherit uid;
isSystemUser = true;
isNormalUser = false;
group = systemGroupName;
};
groups."${systemGroupName}" = {
inherit gid;
members = ["${systemUserName}" "nginx"];
};
};
tootctlPath = "/run/current-system/sw/bin/mastodon-tootctl";
secretSettings = {
owner = systemUserName;
group = systemGroupName;
};
publicPath = "${path}/public-system/";
in {
imports = [../nginx.nix];
sops.secrets."${mailgunSmtpSecretName}" =
{
sopsFile = ./mailgun.sops.yaml;
path = mailgunSmtpPasswordPath;
}
// secretSettings;
sops.secrets."${mastodonDbSecretName}" =
{
sopsFile = ./mastodon-db.sops.yaml;
path = mastodonDbSecretPath;
}
// secretSettings;
inherit users;
systemd.services.mastodon-make-path = {
script = ''
mkdir -p ${path}
chown -R ${systemUserName}:${systemGroupName} ${path}
mkdir -p ${publicPath}
chmod -R o-rwx ${publicPath}
chmod -R g-rwx ${publicPath}
chmod -R g+X ${publicPath}
chmod -R g+r ${publicPath}
chmod -R u+rwX ${publicPath}
'';
serviceConfig = {Type = "oneshot";};
before = ["container@mastodon.service"];
};
systemd.services.mastodon-media-auto-remove = {
description = "Mastodon media auto remove";
serviceConfig = {
User = systemUserName;
Group = systemGroupName;
Type = "oneshot";
EnvironmentFile = "/var/lib/mastodon/.secrets_env";
};
script = ''
${tootctlPath} media remove --days=8 --prune-profiles --include-follows -c1
${tootctlPath} media remove --days=8 --remove-headers --include-follows -c1
${tootctlPath} preview_cards remove --days=8
'';
startAt = "daily";
};
services.mastodon = {
enable = true;
inherit package;
localDomain = "${domain}";
user = systemUserName;
group = systemGroupName;
mediaAutoRemove.enable = false;
streamingProcesses = 2;
smtp = {
host = "smtp.eu.mailgun.org";
port = 465;
authenticate = true;
user = "postmaster@${domain}";
fromAddress = "Peninsula Industries Mastodon <mastodon@${domain}>";
createLocally = false;
passwordFile = "${mailgunSmtpPasswordPath}";
};
sidekiqThreads = 8;
extraConfig = {
SMTP_TLS = "true";
SMTP_ENABLE_STARTTLS_AUTO = "true";
SINGLE_USER_MODE = "true";
RAILS_SERVE_STATIC_FILES = "true";
AUTHORIZED_FETCH = "true";
DISALLOW_UNAUTHENTICATED_API_ACCESS = "true";
};
configureNginx = true;
enableUnixSocket = true;
database = {
passwordFile = mastodonDbSecretPath;
};
};
}

1
nixos/boxes/vpsfree1/default.nix
View file

@ -7,7 +7,6 @@
../nginx.nix ../nginx.nix
../send-logs.nix ../send-logs.nix
./backups.nix ./backups.nix
./mastodon.nix
./rss.nix ./rss.nix
./ssh.nix ./ssh.nix
./syncthing-relay.nix ./syncthing-relay.nix

93
nixos/boxes/vpsfree1/mastodon-db.sops.yaml
View file

@ -1,93 +0,0 @@
mastodon-db: ""
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1qpxvqf2254vynw7aah2pyd8tm0lqtfqr9maguewdj3uqjp8smqvssjp43n
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEM2JVelR6K0Zjbm5ubjJD
MVV5NkdhaGl1eE5oUUp1bm1VQmEvTThPRkE0CkRtQ2k4WHhkTlhNQ25tN1V5VkR3
b3c0NzJuSFRLNnVRZUNkTml6dnRKMlUKLS0tIEt2UkFEVkFGbHFURkRONUlmMW0w
ZXNpZVh2eUpuRDZ3ZFhTcTAxU2FKWTAKuWxeWi10LGOBcDuruA1Nu2cbZ4ERN6B2
ujbcoKVN9nA+wy5+HgBxfOFQ78KvkuRmIKfbLvyRX/9Pg8v5o1Ybhg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1s3z2rfske90kt93a3z7twp6kew6mqd08sgunupym0gpmuh8ezqqscdrv7m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxSi9CNnFCQTdGTjlqWlY5
eS82NDV1WFpDOGNJZVJhblhVV0xPRGcwTmtzClFXQjVXNDZHVUFWVFNHQ1FOaGNM
SUxLTDZ0MXdrZVNsUUhkQUNWdStxUjgKLS0tIDlsNU9JUFFTOVdHcUxmMzVvNHUr
dnQ1T0FwMGtpdTBYODVBdHN5NjhtNHMKYb4+t8oyZ1lfFDIbjzGfiN7EihD7oef1
cna9lEwgfm19G1yiPjgszlPQwdjvSk6vlPNYcOT1KYisGnTtRHUCvw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZcEpFUGE3bnBXYzlsZGl5
RFR6bU56VVZRT3ZIaXc5cDYyd28vMUtoVkhVCjlwbmRBMngvWC9FQ1VsK1dxOXNo
UExONjFxZTE4S0dIeDR0VWFndEg5eUkKLS0tIHQxNWFGVHRHUGdTWTN5aVFsWGpj
TjYzVkkvUDlEOWZCM3Y3TUpHMWp1MXMKAxvbXIc0SgUdbzZvV53kqbLG8uDaSoOw
G1GWOJcruJ+WywsxoVcd6UA01GgUOYg9bAaeEJuzABfBG9u2WmL6DQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mpgtj57e256q9nqz8jt0jt9ntxrldu0p7aunxx3y5vnerfz04vqqdst2gt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3aTE3VFpZdmZYNVh4Rkw3
Y2pXRXdWSUw2eWhHcEo1OFNnMEpRNjZzbUc0ClVGZXB2aWxXRUdZVmFWR0JDSitk
L0svd2RLb3A3QlV3ZG02TXQ3UkdlRXcKLS0tIDhVZTRHdDhJQ2ViSC9YU3ZIdURN
U3l2bjhjdktwWnpDSXFtWkp2cEFQa1kKy74uyFJcUf9L2EHcQ5RrymRFn5AsOtpQ
Ar1Tb+TCXsyXwMlXwqX5jTdKFxwpsgiT/GuE8mHjGOM9XoJPEHaoMA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGVzRnN2xtOWw2dWlYZWR3
b2g2WVlDcVk3eGRrQkV0ZER1a1ZLcDF2QWdjCnlMWDhMbkdFZVBkMXNwZFBKTW5z
QWxNSzRkRDdlT1FsUWpRNktYME5mcXcKLS0tIEh5UHpVb1gyeng1eXFjNnZlcTc1
cVBMNDR6VmxTRTUzYTlETCtqTUZ6Nm8KSSlzWikCyVZsd1yzC8sq8e9UQnZhhQgl
jljUQOvLjDtjvmRMpTaAdGQuArVONWrk8UJheawo33BNL0lWyDSCcg==
-----END AGE ENCRYPTED FILE-----
- recipient: age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvQlNrNG5kRG1YRXhmbFRl
Q2tMZ1RBbTFmaUg4TmtxWkFTM3VqUHhkR1c4CkJEVzFqZXRDRndJd1FuQ0t2aXNt
YkZMbkhER1FKcWNaUWhpbWxxaSt2ZHcKLS0tIEJnSk9yeFRhckN2cEpUc3VXMGps
cXVqRWpJZk5zM1VPTVNzcFBSaG5pMU0KjIni2nzw98OgER95cOdzBrvuM80CdCzb
46FU071PAWBpgAH5SvIsI85At6fl0B8rKrce1nBSUDhvlnq4RbQpJA==
-----END AGE ENCRYPTED FILE-----
- recipient: age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPWGtnR2ltS2I0R0p0VlV1
MUJyRTZsNUV0M0l6N2QrYnIyTHRrUmlmdERVCnBMU0MzNG5WQmpFcXpkM1BETFhn
RTV5R2ZZNFh6bEhkaVArenFobUZSUWcKLS0tIDUyUnpkQ29nbXdIaVhmN1dZWHhl
TERUMWJycHhWYXN0YzEwajBBVy9tYkEKSPZUnP65cRFgZdD7uHOyaMnMzPvuwHNf
7Q2Y0vCevwmppPt6TsNWWMKJUjWkdgAeAmmkKcSuaDi2EthdnxlwCQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1n09swn3qekcuw23vksp7hv4hpg0krlag3c5qcjjaf08m99c3ysqs6sxeyk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTS2FRbm1VUEFhN1NFc3RB
QVRSRHBvbGdXcDVuanluaFZuUmlxSkJ2NHhRCi92ZGpWV0d2Z2ZMYnhyUTJlcDZB
YlhsQzdCYWRmV3RZOXdiVlpWZzJtcEUKLS0tIDhqaHFwTUR1bi91SldFeXloUExY
dFhJU3RmT204SitRazVRVEE1Y1plb2MKMv1gUa7xMixd6GyJWgous6gd6u/TPNpo
9BKtmf4F9VQRdrghf+dZgExsbqD+14wdVMmncWXDBt2/G9++kxngUQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1tt4c8t72fha2fj7xlm0dew5avmkdxujmgplte4qm7sxlcucggedq0eyk7t
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6SlVhOTBZZHQxNWV0SnZj
eGJJNFhnV2hyY0xqaWNEVmtJdWZjMkxUNEVvCnpaL0xvaEh4TG1sTWtRdWdPSk94
SzIrZUFwNktObVNQalozbmd3Wnd6SEkKLS0tIE1WYWNTc2Z4bmlzOTRRakgzN0hK
U0lzVDRnQVV2Q0h2OHVKRmVhcVE5U2MKDGo89QvLMEehTjUowAa4kTXsqauGvZeP
eTw2bqpOkpVwdtMroHcz3Su8ZqDb+ejGE6n3GcwEUUuyPNSn/iE+hQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-11-26T12:03:57Z"
mac: ENC[AES256_GCM,data:9istsKh21b1w5UNXJyjbR8FmjLyZL+QiBNtfFyVtLv6/rc90NSFfXzq8jVTUA/DHkMNhe6Zt+ieCucc2+MjZoKX77JFMcJgPYzdrhT7Fzk9U+7XMIUN+vKuh3RRV9f6zNiGSHAwjN3Gz0yvFWxlrvZ4W1hpjpKQ6LKXkW0c2l88=,iv:dZQeInjC96GJpSppAez0/Ovte+zns/FSP7KY/5+dcpE=,tag:wajCNA52jC+PCpUmF8ctOQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

178
nixos/boxes/vpsfree1/mastodon.nix
View file

@ -1,178 +0,0 @@
{
config,
pkgs,
inputs,
lib,
...
}: let
newestPackages = inputs.nixpkgs-master.legacyPackages.${pkgs.system};
package = newestPackages.mastodon;
domain = "peninsula.industries";
webPort = 55001;
postgresPort = 5432;
path = "/var/lib/mastodon/";
mailgunSmtpSecretName = "mastodon-mailgun-smtp-password";
mailgunSmtpPasswordPath = "/run/secrets/${mailgunSmtpSecretName}";
mastodonDbSecretName = "mastodon-db";
mastodonDbSecretPath = "/run/secrets/${mastodonDbSecretName}";
uid = 2049;
gid = 3049;
systemUserName = "mastodon";
systemGroupName = "mastodon";
users = {
users."${systemUserName}" = {
inherit uid;
isSystemUser = true;
isNormalUser = false;
group = systemGroupName;
};
groups."${systemGroupName}" = {
inherit gid;
members = ["${systemUserName}" "nginx"];
};
};
tootctlPath = "/run/current-system/sw/bin/mastodon-tootctl";
secretSettings = {
owner = systemUserName;
group = systemGroupName;
};
publicPath = "${path}/public-system/";
in {
imports = [../nginx.nix];
services.nginx = {
virtualHosts = {
"${domain}" = {
forceSSL = true;
enableACME = true;
root = "${package}/public/";
locations."/" = {tryFiles = "$uri @proxy";};
locations."/system/".alias = "${publicPath}";
locations."@proxy" = {
proxyPass = "http://127.0.0.1:" + toString webPort;
proxyWebsockets = true;
};
};
};
};
sops.secrets."${mailgunSmtpSecretName}" =
{
sopsFile = ./mailgun.sops.yaml;
path = mailgunSmtpPasswordPath;
}
// secretSettings;
sops.secrets."${mastodonDbSecretName}" =
{
sopsFile = ./mastodon-db.sops.yaml;
path = mastodonDbSecretPath;
}
// secretSettings;
inherit users;
systemd.services.mastodon-make-path = {
script = ''
mkdir -p ${path}
chown -R ${systemUserName}:${systemGroupName} ${path}
mkdir -p ${publicPath}
chmod -R o-rwx ${publicPath}
chmod -R g-rwx ${publicPath}
chmod -R g+X ${publicPath}
chmod -R g+r ${publicPath}
chmod -R u+rwX ${publicPath}
'';
serviceConfig = {Type = "oneshot";};
before = ["container@mastodon.service"];
};
containers.mastodon = {
autoStart = true;
forwardPorts = [
{
containerPort = webPort;
hostPort = webPort;
}
];
bindMounts = {
"${path}" = {
hostPath = "${path}";
isReadOnly = false;
};
"${mailgunSmtpPasswordPath}" = {
hostPath = "${mailgunSmtpPasswordPath}";
isReadOnly = true;
};
"${mastodonDbSecretPath}" = {
hostPath = "${mastodonDbSecretPath}";
isReadOnly = true;
};
};
config = {
config,
pkgs,
lib,
...
}: {
system.stateVersion = "23.11";
services.postgresql.port = postgresPort;
users =
users
// {
mutableUsers = false;
allowNoPasswordLogin = true;
};
systemd.services.mastodon-media-auto-remove = {
description = "Mastodon media auto remove";
serviceConfig = {
User = systemUserName;
Group = systemGroupName;
Type = "oneshot";
EnvironmentFile = "/var/lib/mastodon/.secrets_env";
};
script = ''
${tootctlPath} media remove --days=8 --prune-profiles --include-follows -c1
${tootctlPath} media remove --days=8 --remove-headers --include-follows -c1
${tootctlPath} preview_cards remove --days=8
'';
startAt = "daily";
};
services.mastodon = {
enable = true;
inherit package;
localDomain = "${domain}";
user = systemUserName;
group = systemGroupName;
mediaAutoRemove.enable = false;
streamingProcesses = 2;
smtp = {
host = "smtp.eu.mailgun.org";
port = 465;
authenticate = true;
user = "postmaster@${domain}";
fromAddress = "Peninsula Industries Mastodon <mastodon@${domain}>";
createLocally = false;
passwordFile = "${mailgunSmtpPasswordPath}";
};
sidekiqThreads = 8;
extraConfig = {
SMTP_TLS = "true";
SMTP_ENABLE_STARTTLS_AUTO = "true";
SINGLE_USER_MODE = "true";
RAILS_SERVE_STATIC_FILES = "true";
AUTHORIZED_FETCH = "true";
DISALLOW_UNAUTHENTICATED_API_ACCESS = "true";
};
inherit webPort;
configureNginx = false;
enableUnixSocket = false;
database = {
port = postgresPort;
passwordFile = mastodonDbSecretPath;
};
};
};
};
}